
Forensic analysis, the CSI of security

Forensics can give an organization a unique perspective on where breaches are taking place and how they are occurring, as well as how to prevent them.

Bryan Sartin

If your responsibilities include securing your company's network infrastructure, you're not alone. Thousands of IT administrators struggle day in and day out to ensure the safety and security of customer data, confidential employee information and irreplaceable company assets. It's a significant job even in the smallest companies with threats changing constantly and systems continuing to become more complex. Truth is, even with considerable advanced planning and extensive preparation, a security breach may still occur.

If an organization has experienced a known security breach, or if there is overwhelming evidence that a breach has occurred, it is likely the next question will be "how?" or "why?" Today, the concept of damage control is no longer enough when it comes to IT security. In addition to rapidly rectifying a problem, administrators need to know how and why something happened and take corrective action so that it doesn't happen again.

Partnering with an experienced forensics team can give an organization a unique perspective on where breaches are taking place and how they are occurring, as well as offering insight on how the organization should be secured and where it should focus IT spending. By directing budget toward baseline security assessments, organizations can get the most from their security investments.

As an example, adoption of forensic analysis has been rapid in the financial services industry where the business model dictates paramount security needs due to the nature of the data. Programs such as Visa's Card-Holder Information Security Program and MasterCard's Site Data Protection Program illustrate this growing trend.

Undertaking a post-mortem
Think of the forensics analysis investigation as a network post-mortem. Much like criminal forensic investigators arrive at the scene of a crime to gather evidence, network forensics investigators conduct a third-party examination of security breaches involving customer nonpublic data.

The on-site component of the investigation should include three key components:

  • A discovery process focused on understanding the application and network infrastructure, as well as the business information flow of the organization
  • Interviews with key personnel to understand the facts from the customer's perspective and identify suitable sources of forensics data
  • Data collection intended to gather critical sources of forensic evidence to support the investigation, followed by comprehensive analysis.

The investigation involves establishing a timeline of the attack that effectively reconstructs the attacker's steps and sheds light on the extent of the breach, the tools and methods employed, and the source of the attack. Aside from identifying the extent and source of a suspected security breach, the investigation should also tie together bits of evidence left behind by the attacker to establish a footprint that can be used to assist in prosecution or in litigation support.

Criminal justice
To do justice to a forensics analysis, it is important to avoid two common mistakes organizations make after an attack that can compromise a successful investigation.

First, you must maintain the quality of the scene for investigation. Making any changes to the network prior to the investigation will slow the work of the forensics team, as they must weave through what's been changed or search for data that's been erased to find the attacker's footprint.

Second, you must respond quickly. Some delay cannot always be avoided, but organizations can minimize it by being properly set up for incident response. This means having the proper logging and alert notification facilities in place before an incident occurs, so the team is positioned for success.
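The two points above, reconstructing the attacker's timeline from several log sources and keeping the collected evidence demonstrably unaltered, can be shown in a small script. The following is an added example written for this article, not code from the author or from Ubizen. It hashes each evidence source as collected (so later alteration is detectable), then normalizes three differently formatted logs into one UTC-ordered timeline. All log lines, hostnames, user names and IP addresses are constructed placeholders; syslog entries carry no year or time zone, so the script assumes the investigation year and UTC, as noted in the comments.

```python
"""Unified incident timeline with evidence integrity hashes.

Added example for this article (not the author's or Ubizen's code).
All log content below is constructed; hosts, users and addresses are
placeholders.
"""
import hashlib
import re
from datetime import datetime, timezone

# Constructed evidence: each source uses its own timestamp format.
EVIDENCE = {
    "web-01/access.log": (
        '203.0.113.7 - - [12/May/2004:02:14:07 +0000] "GET /admin.php?id=1 HTTP/1.1" 200 512\n'
        '203.0.113.7 - - [12/May/2004:02:14:09 +0000] "GET /admin.php?id=1%27 HTTP/1.1" 500 9120\n'
    ),
    "db-01/auth.log": (
        "May 12 02:15:31 db-01 sshd[4411]: Accepted password for appuser from 10.0.0.12 port 51022 ssh2\n"
        "May 12 02:16:02 db-01 sudo: appuser : COMMAND=/bin/tar czf /tmp/c.tgz /var/lib/db\n"
    ),
    "fw-01/events.csv": (
        "2004-05-12T02:17:45Z,ALLOW,10.0.0.12,198.51.100.9,443,outbound,41203392\n"
    ),
}

# One (regex, strptime format) pair per log format: Apache combined,
# BSD syslog (no year, no zone), and an ISO-8601 CSV export.
PARSERS = [
    (re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<msg>[^"]+)"'),
     "%d/%b/%Y:%H:%M:%S %z"),
    (re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$"),
     "%b %d %H:%M:%S"),
    (re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ),(?P<msg>.*)$"),
     "%Y-%m-%dT%H:%M:%SZ"),
]


def hash_evidence(evidence):
    """SHA-256 of every source exactly as collected, before analysis.

    Store this manifest with the case file; re-hashing later proves the
    sources were not changed after collection."""
    return {name: hashlib.sha256(data.encode()).hexdigest()
            for name, data in evidence.items()}


def verify_evidence(evidence, manifest):
    """True only if every source still matches its recorded hash."""
    return hash_evidence(evidence) == manifest


def parse_line(line, year):
    """Return (UTC datetime, message) or None for an unrecognised line."""
    for regex, fmt in PARSERS:
        m = regex.match(line)
        if not m:
            continue
        ts = m.group("ts")
        if fmt.startswith("%b"):
            # Syslog omits the year: assume the investigation year.
            dt = datetime.strptime(f"{year} {ts}", "%Y " + fmt)
        else:
            dt = datetime.strptime(ts, fmt)
        if dt.tzinfo is None:
            # Assumption: sources without a zone marker logged in UTC.
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc), m.group("msg")
    return None


def build_timeline(evidence, year):
    """Merge all sources into one list of (time, source, message), oldest first."""
    events = []
    for source, data in evidence.items():
        for line in data.splitlines():
            parsed = parse_line(line, year)
            if parsed:
                events.append((parsed[0], source, parsed[1]))
    events.sort(key=lambda e: e[0])
    return events


def dwell_seconds(timeline):
    """Seconds between the first and last observed event."""
    return int((timeline[-1][0] - timeline[0][0]).total_seconds())


if __name__ == "__main__":
    manifest = hash_evidence(EVIDENCE)
    for name, digest in manifest.items():
        print(f"{name}: sha256={digest}")
    timeline = build_timeline(EVIDENCE, year=2004)
    for when, source, msg in timeline:
        print(when.isoformat(), source, msg)
    print(f"first-to-last event span: {dwell_seconds(timeline)} s")
```

The manifest produced by `hash_evidence` is the piece a court or a regulator will ask about: if a log is edited or "cleaned up" after collection, `verify_evidence` fails, which is why the article insists on leaving the scene untouched until the investigators have taken their copies.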

Build a strong foundation
An experienced forensics team will be able to advise organizations on common patterns of attack and links between breach sources. Most often, they will highlight four common exposures: insufficient monitoring, weak application-level security, weak network security, and insufficient patch management. Furthermore, forensic investigations often reveal that a breach occurred because the organization did not treat security assessments as the foundation of its security program and failed to apply proactive and reactive vulnerability assessments effectively.

The best thing an organization can do to protect itself is to implement a best-of-breed security strategy that incorporates a baseline security assessment. This assessment should inform the design of the security structure and be combined with an in-house security policy that governs the management, daily activities, and procedures of the organization. By using in-house tools with ongoing policy compliance and penetration testing, organizations are better positioned to avoid attack and to support the forensic investigation once an attack occurs.

About the author:
Bryan Sartin is director of technology for Ubizen, where he is responsible for all customer-facing issues regarding the technology of its managed security solutions offerings. Companies rely on Ubizen OnlineGuardian services to manage, monitor and support security devices 24x7x365. Prior to joining Ubizen, Sartin worked in various senior positions at Exenet Technologies, Sayers Group and Winstar Communications.
This was last published in May 2004
